Naked Security

Wait, this email isn’t for me – what’s it doing in my inbox?

Emails can contain confidential information and are often sent to the wrong person, yet many businesses don't even bother to verify addresses when you sign up with them. What can be done?

For as long as email has been in the mainstream, stories abound about how messages have reached the wrong recipient, with embarrassing or detrimental consequences. Perhaps a mis-sent shipping notification from a retailer isn’t a big deal, but a financial email containing sensitive information definitely shouldn’t land in the wrong inbox.

Recently this topic came up on Ask Slashdot via user periklisv, with the pointed question: What do you do when you get a misdirected email?

Over the past six months, some dude in Australia (I live in the EU) who happens to have the same last name as myself is using [my email address] to sign up to all sorts of services… how do you cope with such a case, especially nowadays that sites seem to ignore the email verification for signups?

The thread is full of anecdata of emails sent to the wrong recipients, often full of embarrassing or sensitive information — bank statements, loan information, lawyer correspondences.

A quick search reveals that this issue comes up in the news on a larger scale with some frequency. For example, in 2012, a company accidentally emailed an employee termination notice to all of their 1,300 global employees instead of just one. Thankfully, people quickly caught on that this email wasn’t meant to go on blast (unfortunately for the person who was still fired).

These mistakes are usually rather innocuous: someone omits a character, makes a typo, or mixes up domain names or extensions (.com instead of .net, Yahoo instead of Gmail) in a rushed moment, and the matter is usually resolved by a quick “hey, you sent this to the wrong person” reply.

But what happens if a misdirected personal email lands in the inbox of someone who might not be so honest? Or what happens when a large company sends out confidential information via email to unintended recipients?

Just one example: a representative from Rocky Mountain Bank sent sensitive customer loan information to the wrong recipient via email and sued Google to try to quash the breach and keep the data from spreading any further. (Luckily for the employee, it turned out that the unintended recipient marked the email as spam and never even looked at the email.)

That’s a data breach thanks to a simple typo. In theory, this should be easy enough to avoid.

But this isn’t a new problem. In fact, in 2011, several security researchers highlighted exactly how an enterprising criminal could typosquat on a number of domain names to wait for confidential information to come across from misdirected emails, like a trapdoor spider waiting for its prey. The researchers captured more than 20GB of data from 120,000 misdirected emails meant for Fortune 500 companies in the span of six months.

The difference between the legitimate email addresses and the ones used by the security researchers? A simple dot — that’s all.
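One defensive counterpart to the researchers’ trick is to check outgoing recipients against “dot-dropped” look-alikes of the organisation’s own subdomains before a message leaves. The following is an added example, not code from the article or the researchers; the domain names in it are constructed for illustration.

```python
# Added example: flag outbound recipients whose domain is one of our own
# subdomains with a single dot removed (e.g. "us.example.com" -> "usexample.com").
# LEGIT_DOMAINS is a constructed sample of an organisation's real mail domains.

from email.utils import parseaddr

LEGIT_DOMAINS = {"example.com", "us.example.com", "mail.eu.example.com"}  # constructed


def dot_dropped_variants(domain):
    """Return every domain formed by removing exactly one dot from `domain`."""
    labels = domain.lower().split(".")
    variants = set()
    for i in range(len(labels) - 1):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_lookalike_table(legit_domains):
    """Map each dot-dropped look-alike back to the legitimate domain it mimics."""
    table = {}
    for legit in legit_domains:
        for variant in dot_dropped_variants(legit):
            if variant not in legit_domains:  # a genuine domain is not a look-alike
                table[variant] = legit
    return table


LOOKALIKES = build_lookalike_table(LEGIT_DOMAINS)


def check_recipients(recipients):
    """Return (address, mimicked_domain) pairs that should be held for review.

    Accepts raw header values such as 'Alice <alice@usexample.com>'.
    """
    flagged = []
    for rcpt in recipients:
        _, addr = parseaddr(rcpt)
        domain = addr.rpartition("@")[2].lower()
        if domain in LOOKALIKES:
            flagged.append((addr, LOOKALIKES[domain]))
    return flagged
```

The same table can be fed to a mail gateway’s recipient-check rule, and the check is cheap enough to run on every outbound message.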

As with so many security issues that are ultimately based on habit and human error, mitigating this issue is easier said than done. Many people know they shouldn’t send sensitive information via email, but inevitably some do it anyway out of (what they see as) necessity.

Of course, robust data and email policies to filter and/or block confidential information from egressing via email can certainly help. There are additional technical approaches we would also recommend:

Email verification for signup forms: People are in a hurry and make mistakes. It’s always going to happen. As identified by the Slashdot poster, the simple step of adding an email verification step to a sign-up process would do much to reduce misdirected emails.

Make it easier for employees to stop hitting the “attach” button: We follow the path of least resistance — if it’s too difficult to collaborate or share by any other method, people will stick with what they know and what’s fastest. Centralized file repositories internally or in the cloud (like Dropbox), when implemented well, can make using email attachments less appealing by comparison.

Encrypt: Another possible failsafe is to encrypt everything that’s outgoing – that way even if the email does end up in the wrong hands, there’s not much the recipient can do with it.
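The first recommendation above, a verification step on signup, amounts to never activating an account until a signed, time-limited, single-use token comes back from the mailbox that was entered. The following is an added example of such a flow, not code from the article or from any site it mentions; the in-memory `_pending` table and the secret stand in for a database and a secret store.

```python
# Added example: email verification for a signup form. The address is only
# "owned" by the account once a token mailed to it is presented back.
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)  # constructed; load from a secret store in practice
TOKEN_TTL_SECONDS = 24 * 3600
_pending = {}  # email -> (token_id, expires_at); stands in for a database table


def _sign(email, token_id, expires_at):
    msg = f"{email.lower()}|{token_id}|{expires_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_signup(email, now=None):
    """Record a pending signup and return the token to embed in the mailed link.

    Nothing is activated yet, so a mistyped address receives this one mail and
    nothing else (no statements, no password resets).
    """
    now = time.time() if now is None else now
    token_id = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    expires_at = int(now) + TOKEN_TTL_SECONDS
    _pending[email.lower()] = (token_id, expires_at)
    return f"{token_id}.{expires_at}.{_sign(email, token_id, expires_at)}"


def verify_signup(email, token, now=None):
    """Return True and activate only if the token is intact, unexpired and unused."""
    now = time.time() if now is None else now
    try:
        token_id, expires_at_s, sig = token.split(".")
        expires_at = int(expires_at_s)
    except ValueError:
        return False
    pending = _pending.get(email.lower())
    if pending is None or pending != (token_id, expires_at):
        return False
    if now > expires_at:
        return False
    if not hmac.compare_digest(sig, _sign(email, token_id, expires_at)):
        return False
    del _pending[email.lower()]  # single use: the same link cannot activate twice
    return True
```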

Are misdirected emails an issue where you work? Have you managed to make them an issue of the past? We welcome your thoughts or tips on how to mitigate this issue in the comments.


2 Comments

I’ve had some dude use my email to sign in to Apple. I called them and told them and since they had other contact details they sorted it out with the guy, I’ve heard nothing further. But it’s a pain, I can tell ya.


Happens to me all the time. My email address (formed in 1995 when the ISP was just starting and the namespace was tiny) is of the form [MySurname]@domain.com. As it happens, my surname matches a common first name followed by “s”. I regularly get the mail of others, either through transcription errors or, more commonly, because someone with the same ID on a different domain enters the wrong domain.

Since I’m unable to contact the mailjacker, I take the following steps:
–Respond to the sender if possible with a “not me” email.
–Unsubscribe or cancel the account if it’s social media. Sometimes I have to do the “Forgot password” dance to do this.
–In one hilarious exercise I got signed up for fantasy baseball and couldn’t unsubscribe or cancel. I was getting daily emails. So I did the “Forgot password” dance and then logged in and traded every player on the roster for a pitcher! I had a team of 27 pitchers and no other positions! Two days later the emails stopped!

